A TSO submit fails with:

IKJ56251I USER NOT AUTHORIZED FOR SUBMIT+
YOUR TSO ADMINISTRATOR MUST AUTHORIZE USE OF THIS COMMAND

The same errors can occur for an STC that uses the TSO submit command which works on a z/OS 2.2 system, but now fails on a 2.3 system.

The LOGONID of the STC is USER0001 which does not have JCL as a TSO privilege.

On the z/OS 2.2 system works and the job is submitted successfully.

On the z/OS 2.3 system fails with message:

IKJ56251I USER NOT AUTHORIZED FOR SUBMIT+
YOUR TSO ADMINISTRATOR MUST AUTHORIZE USE OF THIS COMMAND

Is this a problem with z/OS 2.2 or z/OS 2.3?

The IBM message guide IKJ56251I message indicates: 

The 'IKJ56251I message Not authorized to submit' can occur if the user doing the submit does not have the JCL bit set in their logonid.

The reason the submit is allowed in z/OS 2.2 is because the LOGONID is 8 characters long - USER0001.
z/OS 2.2 and previous levels of z/OS did not allow for 8 character logonids to be validated as TSO users.
This means that the submit was allowed without checking the JCL attribute.

z/OS 2.3 now validates 8character logonids as TSO users.

Therefore, both releases of z/OS are processing correctly:

• z/OS 2.2 DOES NOT require JCL attribute to submit a job.
• z/OS 2.3 DOES require JCL attribute to submit a job.

To address the IKJ56251I message add the ACF2 LOGONID JCL privilege to the logonid, for example:

ACF
CHANGE USER0001 JCL